Analysis
- max time kernel: 119s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/11/2024, 11:56
Static task: static1
Behavioral task: behavioral1
- Sample: f4697f6b22d0b23fd1acd67a5fb52b34cecd91125594f5a9ffe37b060f1ff9be.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: f4697f6b22d0b23fd1acd67a5fb52b34cecd91125594f5a9ffe37b060f1ff9be.exe
- Resource: win10v2004-20241007-en
General
- Target: f4697f6b22d0b23fd1acd67a5fb52b34cecd91125594f5a9ffe37b060f1ff9be.exe
- Size: 37KB
- MD5: 8c0acc2a76a963f1aa4b6dffe44738d3
- SHA1: eb173333dc2147f18dbaf529def4e714cd00be8c
- SHA256: f4697f6b22d0b23fd1acd67a5fb52b34cecd91125594f5a9ffe37b060f1ff9be
- SHA512: 1a3e8697ca7bde81da2be1207149564c6197810941c32b47eb3f78091fb868228ffd2b6768496dcfe9b8e9a680487eba295fb7fe1dab5fb8a22d8093eb7f81f1
- SSDEEP: 768:ePyFZFASe0Ep0EpHZplRpqpd6rqxn4p6vghzwYu7vih9GueIh9j2IoHAcBHUIFvq:e6q10k0EFjed6rqJ+6vghzwYu7vih9GE
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 4032, process microsofthelp.exe
- Executes dropped EXE (1 IoCs)
  pid 4032, process microsofthelp.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" by process f4697f6b22d0b23fd1acd67a5fb52b34cecd91125594f5a9ffe37b060f1ff9be.exe
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\microsofthelp.exe by process f4697f6b22d0b23fd1acd67a5fb52b34cecd91125594f5a9ffe37b060f1ff9be.exe
  File created: C:\Windows\HidePlugin.dll by process microsofthelp.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by process f4697f6b22d0b23fd1acd67a5fb52b34cecd91125594f5a9ffe37b060f1ff9be.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by process microsofthelp.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4676 wrote to memory of 4032 (pid 4676, process f4697f6b22d0b23fd1acd67a5fb52b34cecd91125594f5a9ffe37b060f1ff9be.exe, procid_target 83)
  PID 4676 wrote to memory of 4032 (pid 4676, process f4697f6b22d0b23fd1acd67a5fb52b34cecd91125594f5a9ffe37b060f1ff9be.exe, procid_target 83)
  PID 4676 wrote to memory of 4032 (pid 4676, process f4697f6b22d0b23fd1acd67a5fb52b34cecd91125594f5a9ffe37b060f1ff9be.exe, procid_target 83)
Processes
- C:\Users\Admin\AppData\Local\Temp\f4697f6b22d0b23fd1acd67a5fb52b34cecd91125594f5a9ffe37b060f1ff9be.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f4697f6b22d0b23fd1acd67a5fb52b34cecd91125594f5a9ffe37b060f1ff9be.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4676
  - Child process: C:\Windows\microsofthelp.exe
    Command line: "C:\Windows\microsofthelp.exe"
    - Deletes itself
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID: 4032
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 37KB
- MD5: 78eb46c4e0f521b169bf23cd6c1fd5a0
- SHA1: 51e8eb50ab26cfdbc853262c422bcdd56d225f93
- SHA256: 8371c8862290ccbb084743433361395a4adf2aa6dbf21ac7b9cbe323e69c1ef0
- SHA512: 93f9165b64446f30ad8d84bd492b40460d51ee3ad7411c2a8fad1c59722610e3e89c1b79910629e26ddafd7cfb6da659057bf747f1dcba66ec2b6ecb7d28858f